Computer Crime Research Center


Protecting Privacy and Providing Security: A Case of Sensible Outsourcing

Date: November 08, 2004
Source: The Heritage Foundation
By: by James Jay Carafano, Ph.D., and Paul Rosenzweig

... processed in India.

In addition, the National Association of Soft­ware and Service Companies (NASSCOM), a major representative of software and service com­panies in India, has been advocating that Indian regulations should also meet U.S. industry specific requirements (e.g., the Health Insurance Portabil­ity and Accountability Act) as well as state laws. To improve the perception of security and the willing­ness to prosecute computer crimes, NASSCOM has also helped to establish designated cybercrime sections within police departments in which spe­cially trained investigators focus solely on com­puter crimes.

In the absence of a stronger protections regime, foreign outsourcing customers have had to incor­porate their privacy and data security require­ments into a legally binding contract with Indian vendors. Contracts with U.S. outsourcers fre­quently specify New York as the controlling juris­diction and require insurance, which is usually provided by a U.S. carrier. Contract remedies for breaches may be problematic, however, because determining an appropriate remedy or damage amount is frequently difficult.

The Next Steps

India’s current laws regarding electronic com­merce, copyright and patent protection, identity theft, privacy, and cyberterrorism must be strengthened. Revising the Information Technol­ogy Act of 2000 must be a priority, but more also needs to be done.

As promising as the growth of the Indian BPO sector and the effort of IT companies to perform due diligence in protecting information and ensur­ing continuity of service has been, more needs to be done for India to fulfill its potential as a global economic and security partner. According to the Financial Times, direct foreign investment in India is “anaemic,”—$4 billion compared to $50 billion for China.[14] The lack of foreign investment has hamstrung India’s efforts to expand and update its infrastructure, modernization that is critical to spurring further economic expansion. In large part, the lack of investment reflects the absence of reform in the Indian economy outside the IT sec­tor. According to the 2004 Index of Economic Free­dom, “the government continues to restrict 700 sectors to small-scale industries, preventing larger companies from taking advantage of economies of scale.”[15] Trade barriers and excessive regulation discourage overseas private investment. Addition­ally, artificial barriers that keep U.S. goods and ser­vices out of Indian markets have slowed the growth of robust U.S.–Indian partnerships. India should adopt reforms to reduce government regu­lations and liberalize its protectionist trade polices to encourage more foreign investments. A wave of bold reforms on the part of India would do much to strengthen U.S.–Indian economic ties, undercut unwarranted criticisms about outsourcing, and reduce concerns about potential security risks from BPO activities.

In turn, the United States should put in place the right framework to take full advantage of opportunities offered by Indian BPO companies. In particular, Congress should facilitate a predict­able business environment that will ensure that overseas companies will not be unfairly discrimi­nated against based on unwarranted security con­cerns. For example, Congress should remove Section 835 “Prohibition on Contracts with Cor­porate Expatriates” from the Homeland Security Act.[16] DHS should have the power to award con­tracts to any company that can perform services effectively, efficiently, and securely. Meanwhile, DHS and other federal agencies that may wish to outsource homeland security work overseas should establish programs similar to the Depart­ment of Defense’s National Industrial Security Pro­gram, in order to provide BPO companies with clear guidance about the requirements and stan­dards for performing security-related services.[17]

What the U.S. Government Should Do

India’s efforts to become a “trusted provider” of IT services are laudable. They have established the foundation for mutually beneficial economic and security partnership, one that could serve as a model for U.S. cooperation with other developing nations. More must be done, however, to fully exploit the potential of U.S.–Indian cooperation. While India should continue its efforts to create a strong privacy regime for all information being processed within the country, the U.S. government should:

* Consider outsourcing data processing where possible, but also be careful to choose compa­nies (and countries) that will provide the most security value for the money spent;
* Outsource data processing where appropriate, but ensure that the BPO vendor and the coun­try meet stringent privacy standards; and
* Eliminate regulatory barriers that impose unwarranted prohibitions against outsourcing.


The goal of increasing domestic security and protecting the privacy of U.S. citizens should not be an obstacle to strengthening economic ties with the developing world. Rather, market forces and sensible outsourcing can be used both to promote better global security practices and to encourage economic growth.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo